On 11/21/13 16:31, Vladimir 'phcoder' Serbinenko wrote:
>
> Why do you need offset and size options? keyfile option should be
> repeatable. The whole array would be passed down and file would be
> opened instead before reading password and concatenated with it unless
> --no-password was specified as well. If you have remaining questions
> feel free to ask here or on IRC.
>
See man 8 cryptsetup:

    --keyfile-offset value
        Skip value bytes at the beginning of the key file. Works with
        all commands that accepts key files.

    --keyfile-size, -l value
        Read a maximum of value bytes from the key file. Default is to
        read the whole file up to the compiled-in maximum that can be
        queried with --help. Supplying more data than the compiled-in
        maximum aborts the operation.

        This option is useful to cut trailing newlines, for example. If
        --keyfile-offset is also given, the size count starts after the
        offset. Works with all commands that accepts key files.

> On Nov 20, 2013 12:43 AM, "Ralf Ramsauer" <ralf+g...@ramses-pyramidenbau.de> wrote:
>
> Hi,
>
> yesterday I realised that GRUB is already supporting LUKS and even
> simple DSA signature checking.
>
> I was thinking about the following setup:
> - fully encrypted harddisk (LUKS) (incl. rootfs).
> - no bootloader on harddisk
> - kernel + initrd inside encrypted partition
> - optionally: signatures of the kernel + initrd
>
> For "trusted" booting, I thought about a USB stick that just includes
> GRUB, a public key for verification and a keyfile for LUKS.
> Using that setup, no password input would be required during boot. The
> USB stick can be considered as "trusted environment".
>
> Unfortunately, GRUB doesn't support keyfile for LUKS up to now. As I'm
> quite familiar with dm-crypt and LUKS I tried to implement the keyfile
> feature to GRUB.
> After spending several hours trying to get a deeper insight into the
> GRUB internals I finally resigned, as I was missing documentation on
> several things...
>
> I was very confused about the way how GRUB2 is handling its modules and
> about the strategies how functions are exactly called.
> The aim is to implement three additional options to cryptodisk.c resp.
> luks.c:
> -k keyfile [e.g. (hd2,msdos3)/mysecretkey]
> -o keyfile offset [optional, default: 0]
> -s keyfile size [optional, default: keyfilesize]
>
> Using LUKS, a keyfile can simply be treated like a passphrase, which
> basically is already implemented.
>
> I would appreciate if perhaps someone of you could help me with
> this issue.
>
> Thanks in advance!
> Ralf
>
> --
> Ralf Ramsauer
>
> PGP: 0x8F10049B
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel

--
Ralf Ramsauer
PGP: 0x8F10049B
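
The offset and size semantics quoted from the cryptsetup man page in this thread, as an added example in C. It is not GRUB or cryptsetup source and was not posted by anyone in the thread; `read_keyfile`, `read_sample`, the `cap` parameter (standing in for the compiled-in maximum) and the sample keyfile contents are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample keyfile: 4-byte header, 13 key bytes, trailing newline. */
static const char SAMPLE[] = "HDR:correct horse\n";

/* Read key material as the quoted man page text describes: skip `offset`
 * bytes, then read at most `size` bytes (0 = rest of the file). `cap` stands
 * in for the compiled-in maximum. Returns the key length, or -1 on error,
 * on an empty key, or when more data than `cap` is supplied. */
long read_keyfile(FILE *fp, long offset, size_t size,
                  unsigned char *key, size_t cap)
{
    size_t want = size ? size : cap;
    size_t got;

    if (offset < 0 || want > cap) return -1;
    if (fseek(fp, offset, SEEK_SET) != 0) return -1;
    got = fread(key, 1, want, fp);
    if (ferror(fp) || got == 0) return -1;
    /* No explicit size: the whole remainder must fit, otherwise abort. */
    if (size == 0 && fgetc(fp) != EOF) {
        memset(key, 0, cap);          /* drop the partial key material */
        return -1;
    }
    return (long)got;
}

/* Demo helper: write SAMPLE to a temporary file and read it back. */
long read_sample(long offset, size_t size, unsigned char *key, size_t cap)
{
    FILE *fp = tmpfile();
    long n;

    if (!fp) return -1;
    fwrite(SAMPLE, 1, sizeof SAMPLE - 1, fp);
    n = read_keyfile(fp, offset, size, key, cap);
    fclose(fp);
    return n;
}

int main(void)
{
    unsigned char key[64];
    printf("whole file: %ld\n", read_sample(0, 0, key, sizeof key));
    printf("offset 4, size 13: %ld\n", read_sample(4, 13, key, sizeof key));
    return 0;
}
```

With an offset but no size the trailing newline becomes part of the key, so the result differs from the same 13 bytes entered as a passphrase; the size limit is what trims it.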